Upgrade deps to get it running on python 3.13

Some hacks on cgi and crypt, which have been removed in core.

Some checks performed, but needs more testing. Some things can be
serialized wrongly. Before serializing an entity would end up as the ID,
now it will end up in an error, but most of those places can be changed
to `.id` to get it similar to earlier.

Author: omega

requirements.txt

@@ -7,62 +7,62 @@
 
 attrs==20.2.0
 bcrypt==3.1.7
-blinker==1.4
+blinker==1.8.2
 cachetools==4.1.1
 certifi==2020.6.20
 cffi==1.14.5
 chardet==3.0.4
 charset-normalizer==2.0.3
-click==7.1.2
+click==8.1.7
 cssselect==1.1.0
 cssutils==1.0.2
 cycler==0.10.0
 emails==0.6
-Flask==1.1.2
-Flask-Bcrypt==0.7.1
-Flask-Bower==1.3.0
+Flask==3.0.3
+Flask-Bcrypt==1.0.1
+Flask-Bower==2.0.0
 Flask-Env==2.0.0
-Flask-Inputs==0.3.0
-Flask-Login==0.5.0
-Flask-SQLAlchemy==2.4.4
-Flask-Testing==0.8.0
-future==0.18.2
+Flask-Inputs==1.0.0
+Flask-Login==0.6.3
+Flask-SQLAlchemy==3.1.1
+Flask-Testing==0.8.1
+future==1.0.0
 gunicorn==20.0.4
 idna==2.10
 iniconfig==1.1.1
-itsdangerous==1.1.0
-Jinja2==2.11.3
+itsdangerous==2.2.0
+Jinja2==3.1.4
 jsonschema==3.2.0
-kiwisolver==1.3.2
+kiwisolver==1.4.7
 ldif3==3.2.2
-lxml==4.9.1
-MarkupSafe==1.1.1
-matplotlib==3.4.3
+lxml==5.3.0
+MarkupSafe==3.0.1
+matplotlib==3.9.2
 nose==1.3.7
-numpy==1.23.1
+numpy==2.1.2
 packaging==21.0
 paho-mqtt==1.5.1
-pandas==1.3.5
-Pillow==9.0.1
+pandas==2.2.3
+Pillow==11.0.0
 pluggy==1.0.0
 premailer==3.7.0
-psycopg2-binary==2.9.5
+psycopg2-binary==2.9.10
 py==1.10.0
 pycparser==2.20
 pyparsing==2.4.7
 pyrsistent==0.17.3
 pytest==6.2.5
-python-dateutil==2.8.1
+python-dateutil==2.8.2
 pytz==2021.1
-PyYAML==5.4
+PyYAML==6.0.2
 requests==2.26.0
-six==1.15.0
-SQLAlchemy==1.3.20
-SQLAlchemy-Continuum==1.3.11
-SQLAlchemy-Utils==0.36.8
+six==1.16.0
+SQLAlchemy==2.0.36
+SQLAlchemy-Continuum==1.4.2
+SQLAlchemy-Utils==0.41.2
 stripe==5.5.0
 toml==0.10.2
 typing==3.7.4.3
 urllib3==1.26.6
-Werkzeug==1.0.1
-WTForms==2.3.3
+Werkzeug==3.0.4
+WTForms==3.1.2

web/src/cgi.py

@@ -0,0 +1,9 @@
+
+from email.message import Message
+
+def parse_header(header):
+    msg = Message()
+    msg.add_header('content-type', header)
+    r = msg.get_param('charset')
+    if r:
+        return r

web/src/crypt.py

@@ -0,0 +1,117 @@
+# SHAcrypt using SHA-512, after https://akkadia.org/drepper/SHA-crypt.txt.
+#
+# Copyright © 2024 Tony Garnock-Jones.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+import hashlib
+import secrets
+
+alphabet = \
+    [ord(c) for c in './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz']
+permutation = [
+    [0, 21, 42], [22, 43, 1], [44, 2, 23], [3, 24, 45],
+    [25, 46, 4], [47, 5, 26], [6, 27, 48], [28, 49, 7],
+    [50, 8, 29], [9, 30, 51], [31, 52, 10], [53, 11, 32],
+    [12, 33, 54], [34, 55, 13], [56, 14, 35], [15, 36, 57],
+    [37, 58, 16], [59, 17, 38], [18, 39, 60], [40, 61, 19],
+    [62, 20, 41], [-1, -1, 63],
+]
+def encode(bs64):
+    result = bytearray(4 * len(permutation))
+    i = 0
+    for group in permutation:
+        g = lambda j: bs64[j] if j != -1 else 0
+        bits = g(group[0]) << 16 | g(group[1]) << 8 | g(group[2])
+        result[i] = alphabet[bits & 63]
+        result[i+1] = alphabet[(bits >> 6) & 63]
+        result[i+2] = alphabet[(bits >> 12) & 63]
+        result[i+3] = alphabet[(bits >> 18) & 63]
+        i = i + 4
+    return bytes(result).decode('ascii')[:-2]
+
+def repeats_of(n, bs): return bs * int(n / len(bs)) + bs[:n % len(bs)]
+def digest(bs): return hashlib.sha512(bs).digest()
+
+def crypt(password, salt = None, rounds = 5000):
+    if salt is None: salt = encode(secrets.token_bytes(64))[:16].encode('ascii')
+    salt = salt[:16]
+
+    B = digest(password + salt + password)
+    Ainput = password + salt + repeats_of(len(password), B)
+    v = len(password)
+    while v > 0:
+        Ainput = Ainput + (B if v & 1 else password)
+        v = v >> 1
+    A = digest(Ainput)
+
+    DP = digest(password * len(password))
+    P = repeats_of(len(password), DP)
+    DS = digest(salt * (16+A[0]))
+    S = repeats_of(len(salt), DS)
+
+    C = A
+    for round in range(rounds):
+        Cinput = b''
+        Cinput = Cinput + (P if round & 1 else C)
+        if round % 3: Cinput = Cinput + S
+        if round % 7: Cinput = Cinput + P
+        Cinput = Cinput + (C if round & 1 else P)
+        C = digest(Cinput)
+
+    if rounds == 5000:
+        return '$6$' + salt.decode('ascii') + '$' + encode(C)
+    else:
+        return '$6$rounds=' + str(rounds) + '$' + salt.decode('ascii') + '$' + encode(C)
+
+#---------------------------------------------------------------------------
+
+def extract_salt_and_rounds(i): # i must be '$6$...'
+    pieces = i.split('$')
+    if pieces[1] != '6': raise TypeError('shacrypt512 only supports $6$ hashes')
+    if pieces[2].startswith('rounds='):
+        rounds = int(pieces[2][7:])
+        if rounds < 1000: rounds = 1000
+        if rounds > 999999999: rounds = 999999999
+        return (pieces[3].encode('ascii'), rounds)
+    else:
+        return (pieces[2].encode('ascii'), 5000)
+
+def password_ok(input_password, existing_crypted_password):
+    (salt, rounds) = extract_salt_and_rounds(existing_crypted_password)
+    return existing_crypted_password == shacrypt(input_password, salt, rounds)
+
+if __name__ == '__main__':
+    _test_password = 'Hello world!'.encode('ascii')
+    _test_salt = 'saltstring'.encode('ascii')
+    _test_rounds = 5000
+    _test_crypted_password = '$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1'
+    assert shacrypt(_test_password, _test_salt, _test_rounds) == _test_crypted_password
+    assert password_ok(_test_password, _test_crypted_password)
+
+    _test_password = 'Hello world!'.encode('ascii')
+    _test_salt = 'saltstringsaltstring'.encode('ascii')
+    _test_rounds = 10000
+    _test_crypted_password = '$6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v.'
+    assert shacrypt(_test_password, _test_salt, _test_rounds) == _test_crypted_password
+    assert password_ok(_test_password, _test_crypted_password)
+
+    import sys
+    salt = None if len(sys.argv) < 2 else sys.argv[1].encode('ascii')
+    print(shacrypt(sys.stdin.readline().strip().encode('utf-8'), salt))

web/src/p2k16/core/tool.py

@@ -14,6 +14,23 @@ class DummyClient(object):
     pass
 
 
+def tool_event_to_json(event: Event):
+    if type(event) is ToolCheckoutEvent:
+        return {**model_to_json(event), **{
+            "domain": event.domain,
+            "name": event.name,
+            "int1": event.int1,
+            "created_at": event.created_at
+        }}
+    elif type(event) is ToolCheckinEvent:
+        return {**model_to_json(event), **{
+            "domain": event.domain,
+            "name": event.name,
+            "int1": event.int1,
+            "created_at": event.created_at
+        }}
+
+
 @event_management.converter_for("tool", "checkout")
 class ToolCheckoutEvent(object):
     def __init__(self, tool_name: str, created_at: Optional[datetime] = None, created_by: Optional[Account] = None):
@@ -31,7 +48,7 @@ def from_event(event: Event) -> "ToolCheckoutEvent":
     def to_dict(self):
         return {**event_management.base_dict(self), **{
             "created_at": self.created_at,
-            "created_by": self.created_by,
+            "created_by": self.created_by.id,
             "created_by_username": self.created_by.username,
             "tool_name": self.tool_name
         }}
@@ -54,7 +71,7 @@ def from_event(event: Event) -> "ToolCheckinEvent":
     def to_dict(self):
         return {**event_management.base_dict(self), **{
             "created_at": self.created_at,
-            "created_by": self.created_by,
+            "created_by": self.created_by.id,
             "created_by_username": self.created_by.username,
             "tool_name": self.tool_name
         }}

web/src/p2k16/web/server.py

@@ -6,7 +6,7 @@
 import flask_bower
 import flask_login
 import werkzeug.exceptions
-from flask.json import JSONEncoder
+from json import JSONEncoder
 from p2k16.core import P2k16UserException, P2k16TechnicalException, membership_management
 from p2k16.core import make_app, auth, door, mail, tool, label
 from p2k16.core.log import P2k16LoggingFilter

web/src/p2k16/web/tool_blueprint.py

@@ -62,7 +62,7 @@ def tool_to_json(tool: ToolDescription):
         checkout_model = {
             "active": True,
             "started": checkout.started,
-            "account": checkout.account,
+            "account": checkout.account.id,
             "username": checkout.account.username,
         }
     else:
@@ -72,7 +72,7 @@ def tool_to_json(tool: ToolDescription):
 
 
     return {**model_to_json(tool), **{
-        "name": tool.name, 
+        "name": tool.name,
         "description": tool.description,
         "circle": tool.circle.name,
         "checkout": checkout_model,